Vulnerability disclosure: the Code Red lessons
The Code Red sequence has clarified the disclosure-versus-deployment timing problem in ways that the more abstract debate has not. A walk through what the data teaches.
Long-form thinking on cyber defence, detection, and resilience — from Slackware-era honeypots through to AI-driven SOC analytics.
Showing posts tagged policy — 5 results.
Helping a friend build a small data-classification framework has been more useful than I expected. A walk through the structure I recommend for organisations without one.
Spam volume on the relays I run has grown substantially over the past quarter. The structural problem is becoming visible enough that 2001 will be the year spam dominates the mail-security conversation.
I have spent the past month reviewing a vulnerability for a vendor under a non-disclosure agreement. The exercise has clarified my thinking about when NDA-mediated disclosure is appropriate.
The disclosure conversation has been quietly maturing all year. CERT's coordinated disclosure model and Bugtraq's full disclosure model are converging in interesting ways. A walk through where things now stand.